On a rooted Android device or jailbroken iOS device, access the app's private storage directory (Android: /data/data/{package}; iOS: the app's Documents and Library sandboxed directories)
Inspect files stored by the app for clear-text sensitive data: examine SQLite databases, shared preferences XML files, .plist files, and log files
On iOS, check file protection attributes using a tool or API call to confirm sensitive files use NSFileProtectionComplete rather than NSFileProtectionNone or NSFileProtectionCompleteUntilFirstUserAuthentication
On Android, verify that sensitive data in SharedPreferences is not stored in world-readable mode and that any database holding sensitive data uses SQLCipher or equivalent encryption
Check for data leakage through system logs by running logcat (Android) or device syslog (iOS) while exercising the app's sensitive flows
Document findings against MASVS-STORAGE-1 (no sensitive data stored unnecessarily) and MASVS-STORAGE-2 (sensitive data adequately protected) controls
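An added audit helper for the Android side of steps 2 and 4 above (example code written for this page, not part of the original procedure or any MASTG tool): it walks an extracted /data/data/<package> tree, flags world-readable files, sensitive-looking keys with clear-text values in shared_prefs XML, and .db files that carry the plaintext SQLite header (a SQLCipher database starts with a random salt instead). The sensitive-key pattern and the sample package directory it builds are constructed assumptions.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Heuristic key names that often hold secrets in SharedPreferences (assumed list, extend per app).
SENSITIVE_KEY = re.compile(r"pass|pwd|token|secret|session|api_?key|auth", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"  # plaintext header; SQLCipher files start with a random salt instead

def audit_app_dir(root):
    """Walk an extracted /data/data/<package> tree and return (relative path, issue) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & 0o004:               # other-readable bit (MODE_WORLD_READABLE)
                findings.append((rel, "world-readable"))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                for el in ET.parse(path).getroot():         # <map> children: <string>, <boolean>, ...
                    key = el.get("name", "")
                    val = el.text if el.tag == "string" else el.get("value")
                    if SENSITIVE_KEY.search(key) and val:
                        findings.append((rel, f"clear-text value for key '{key}'"))
            elif name.endswith(".db"):
                with open(path, "rb") as f:
                    if f.read(16) == SQLITE_MAGIC:
                        findings.append((rel, "unencrypted SQLite database"))
    return findings

def build_sample_app_dir():
    """Constructed sample package directory: leaky prefs, a plaintext DB and a SQLCipher-like DB."""
    root = tempfile.mkdtemp(prefix="com.example.app-")
    prefs, dbs = os.path.join(root, "shared_prefs"), os.path.join(root, "databases")
    os.makedirs(prefs); os.makedirs(dbs)
    with open(os.path.join(prefs, "session.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.constructed</string>\n'
                '  <boolean name="onboarded" value="true" />\n</map>\n')
    os.chmod(os.path.join(prefs, "session.xml"), 0o664)   # world-readable, as MODE_WORLD_READABLE would do
    con = sqlite3.connect(os.path.join(dbs, "users.db"))  # plain SQLite, secrets in clear text
    con.executescript("CREATE TABLE users(name TEXT, password TEXT);"
                      "INSERT INTO users VALUES('alice', 'hunter2');")
    con.close()
    with open(os.path.join(dbs, "vault.db"), "wb") as f:  # stands in for a SQLCipher file
        f.write(os.urandom(4096))                          # first page is ciphertext, no magic header
    for name in ("users.db", "vault.db"):
        os.chmod(os.path.join(dbs, name), 0o600)
    return root
```

Run it against a directory pulled from a rooted test device with `audit_app_dir("/path/to/pulled/data/data/<package>")`; each finding maps to MASVS-STORAGE-1 or MASVS-STORAGE-2 in the report.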
Known gotchas
iOS data protection classes only protect data while the device is locked; files with NSFileProtectionCompleteUntilFirstUserAuthentication stay readable by malware running in the background at any time after the first unlock following boot, so prefer NSFileProtectionComplete for the most sensitive data
Android Backup lets app data be extracted to a PC without root when android:allowBackup is true in the manifest; files the app encrypts itself are still included in the ADB backup archive unless backup is explicitly disabled
Logs generated during development (verbose level) may persist in release builds if log level guards are not enforced at build time; always review ProGuard/R8 rules and iOS build configurations to confirm debug logging is stripped